Privacy Questions and Answers
This notice describes how npm, Inc., or npm for short, collects and uses data about you.
- What's most important?
- How does npm collect data about me?
- What data does npm collect about me, and why?
- Does npm share data about me with others?
- How can I make choices about data collection?
- Where does npm keep data about me?
- How does npm handle data under the EU General Data Protection Regulation?
- How does npm handle data under the California Consumer Privacy Act?
- How can I see what data is publicly available about me?
- How can I change data about me?
- What is npm's policy on unpublishing packages?
- How does npm notify others about published data that's erased?
- What happens if npm merges with or is bought by another company?
- What are npm's information practices regarding information belonging to children?
- Who can I contact about npm and my privacy?
- How can I find out about changes?
That depends on your personal situation, which is why you should read on and decide for yourself. But at a minimum, absolutely every npm user should understand:
The npm public registry is for making software available to everyone online.
But: Software comes from people, and says something about us.
So: Think carefully about what packages to publish, what data you put in those packages, and what others might do with that data.
When you create an account, certain contact information is displayed publicly in the npm platform. And when you upload a package, your name and contact information may become associated with that package.
If you find yourself in a jam, email firstname.lastname@example.org.
npm collects data about you:
when you use the npm command, the npx command or another program to access the npm public registry, Enterprise registries that npm hosts, private packages, such as when you're publishing a software package, and APIs for functionality like account and permissions management
when you browse the npm website, npmjs.com
when you use either the npm command or the website to create an npm account, update your account, and sign up for npm services
when you send support, privacy, legal, and other requests to npm
when working with and researching current and potential customers
When researching potential customers, npm staff sometimes search the public World Wide Web or paid business databases. Otherwise, npm doesn't buy or receive data about you from data brokers or other private services.
npm may inadvertently collect data about you if it is included in software packages that you or others upload.
When you use the
npm command, the
npx command, or other software to work
with the npm public registry, an Enterprise registry that npm hosts, or
private packages, npm logs data that might be identified to you:
a random, unique identifier, called
npm-session, for each time you run commands like
the names and versions of your project's dependencies, their dependencies, and so on, that come from the npm public registry, but not of other dependencies, like Git dependencies
the versions of Node.js, the npm command, and the operating system you are using
npm-in-ciheader, showing whether the command was run on a continuous integration server
the scope of the package for which you ran
npm install, as an
referrerheader that shows the command you ran, with any file or directory paths redacted
data about the software you're using to access the registry, such as the
network request data, such as the date and time, your IP address, and the URL
npm uses this data to:
fulfill your requests, such as by sending the packages you ask for
send you alerts about security vulnerabilities that may affect the software you're building, when you run
keep registries working quickly and reliably
debug and develop the
npmcommand and other software
defend registries from abuse and technical attacks
compile statistics on package usage and popularity
prepare reports on trends in the developer community
improve search results on the website
recommend packages that may be relevant to your work
your IP address
your preferred language
the web browser software you use
the kind of computer you use
the website that referred you
npm uses data about how you use the website to:
optimize the website, so that it's quick and easy to use
diagnose and debug technical errors
defend the website from abuse and technical attacks
compile statistics on package popularity
compile statistics on the kinds of software and computers visitors use
compile statistics on visitor searches and needs, to guide development of new website pages and functionality
decide who to contact about about product announcements, service changes, and new features
Many features of npm services require an npm account. For example, you must have an npm account to publish packages to the npm public registry.
To create an npm account, npm requires a working email address and an available user name. npm uses this data to provide you access to features and identify you across npm services, publicly and within npm.
You do not have to give your personal or legal name to create an npm account. You can use a pseudonym instead. You can also open more than one account.
If you sign up for an account, then npm will publish account data for the whole world to see on user pages like this one. npm also publishes account data through the npm public registry, which is available for everyone to see, and Enterprise registries that npm hosts for others to find with commands like npm owner ls tap.
If you give npm a personal name or names on social media like GitHub and Twitter through the website, like when you include this on your profile or user page, npm publishes that data along with the email address and user name for the account. You don't have to give npm a personal name or any social media names, and you can remove this data at any time by updating your user page.
npm uses your email to:
notify you about packages published using your account
reset your password and help keep your account secure
add metadata to packages that you publish
contact you in special circumstances related to your account or packages
contact you about support requests
contact you about legal requests, like DMCA takedown requests and privacy complaints
announce new npm product offerings, service changes, and features
send you tips about how to better use free and paid services
send you messages about paid services you might want
When you use npm publish or other software to publish packages to the npm public registry, an Enterprise registry that npm hosts, or as a private package, npm collects the contents of the package, plus metadata, including your account data. Other npm users may also publish packages that include data about you, such as the fact that you contributed code to a package.
npm uses data in packages to provide those packages to you and others who request them:
When you publish a package to the npm public registry, or change a package from private to public, npm makes the package and metadata available to everyone, online.
When you publish a package to an Enterprise registry that npm hosts, or as a private package, npm makes all of that data available to other users according to how the registry or the private packages account is configured. You may be able to configure who can access the package, or that may be up to others, such as the administrator of your company's Enterprise registry.
Making package data available to others allows them to download, build on, and depend on your work.
To sign up for paid services, npm requires your payment card data. npm itself does not collect or store enough information to charge your card itself. Rather, Stripe collects that data on npm's behalf, and gives npm security tokens that allow npm to create charges and subscriptions.
npm uses your payment card data only to charge for npm services.
npm instructs Stripe to store your payment card data only as long as you use paid npm services.
npm collects data about you when you send npm support requests, legal complaints, privacy inquiries, and business inquiries. Those data usually include your name and email address, and may include your company or other affiliation.
npm uses contact data to:
respond to you
compile aggregate statistics about correspondence
train support staff and other npm personnel
review the performance of npm personnel who respond
defend npm from legal claims
npm collects data about visits, user accounts, and forum data on npm.community, the discussion forum for users of npm products and services. npm uses data from npm.community to collaborate with the development community, and to inform development decisions about the command-line interface and other software.
npm shares account data with others as mentioned in the section about account data.
npm shares package data with others as mentioned in the section about package data.
npm publishes posts and other content you submit to npm.community.
npm does not sell information about you to others. However, npm uses services provided by other companies to provide npm services. The types of service providers that npm uses include:
Companies that enable us to offer features on our website, such as to display your avatar
Companies that facilitate the efficient distribution of content
Cloud computing platforms and services that host our discussion forums
Services that assist with the detection of spam, scams, abuse others, or other violations of our terms of service
Platforms to help us receive, manage, and respond to support requests
Platforms for internal communication
By using the website, you agree that we can place these types of cookies on your computer or device. If you disable your browser or device’s ability to accept these cookies, you will not be able to log in or use the website.
You choose what data the npm publish command includes in package data.
You can use an .npmignore
file in your package to keep specific files out of the package. You can
also use a files list in package.json
instruct npm to include only specific files that you name, in addition
to standard files like
LICENSE files, and package.json.
To double check the data that you will share in a package that you plan
to publish, run the
npm publish --dry-run command. If you are running
an older version of the npm command, run the npm pack command to create a
then check its contents, such as with
tar tvzf $tarball.
To publish a package to the npm public registry, npm's terms of service require you to license npm to share it. If a package is made public, it is available for everyone online to see. However, your choice of public license for your package may affect what others can do with data about you in your package.
npm does not respond to the Do Not Track HTTP header.
npm stores account data, data about website use, data about registry use, and private packages on servers in the United States of America. metadata about those packages worldwide, via content delivery networks.
npm stores package data published to Enterprise registries that npm hosts, plus metadata about them, in cloud computing zones of customers' choosing.
By using the npm platform, you consent to the collection and storage of your data as outlined in this section.
npm respects privacy rights under Regulation (EU) 2016/679, the European Union's General Data Protection Regulation (GDPR). npm processes "Personal Data" on the following legal bases: (1) with your consent; (2) as necessary to perform our agreement to provide our services; and (3) as necessary for our legitimate interests in providing our services where those interests do not override your fundamental rights and freedom related to data privacy. Information we collect may be transferred to, and stored and processed in, the United States or any other country in which we or our affiliates or subcontractors maintain facilities, as described above.
If you reside in the EEA, Switzerland, or United Kingdom, you are entitled to certain rights, like the right to:
complain about our data collection or processing actions with the supervisor authority concerned. You can find a list of data protection authorities here.
access to information held about you.
ask us to correct or amend inaccurate or incomplete information we have about you.
ask us to erase data that under certain circumstances, like (1) when it is no longer necessary for the purpose for which it was collected, (2) you withdraw consent and no other legal basis for processing exists, or (3) you believe your fundamental rights to data privacy and protection outweigh our legitimate interest in continuing the processing.
request that we restrict our processing if we are processing your data based on legitimate interests or the performance of a task in the public interest as an exercise of official authority (including profiling); using your data for direct marketing (including profiling); or processing your data for purposes of scientific or historical research and statistics.
When you exercise your rights, npm may need to verify your identity and provide us with information before we access records containing your information. If you want to exercise your rights, please contact npm at email email@example.com. We may have a reason under the law why we do not have to comply with your request or may comply with it in a more limited way than you anticipated. If we do, we will explain that to you in our response.
npm respects the rights of California residents under the California Consumer Privacy Act (CCPA)]. Where we collect information that is subject to the CCPA, that information we collect and your rights are described below.
Categories of personal information we collect:
Name and email address when you create an account. You will also be asked to create a username and we will assign one or more unique identifiers to your profile. We use this information to provide our services, respond to your requests, and send information to you.
We also collect your social media handle and basic account information if you provide it to us or interact with our services, such as our help desk, through social media.
We collect your payment information through our service provider, Stripe, as described above.
Internet or Other Electronic Network Activity Information: device identifiers such as IP address and user agent; the assigned unique IDs in cookies (as described below); information about how you arrived at and navigated through our Services.
Geolocation Data: We do not collect your specific longitude and latitude. However, we do collect imprecise location (e.g., your IP address).
Professional or employment-related information: If you apply for employment with us, information about your employment history.
Education information: If you apply for employment with us, information about your educational history.
We may collect any other information about you contained in software packages uploaded to our site, as described above under the "npm collects package data" section. We also collect the contents of your communications with us, e.g., when you submit a question to us through a web form or comments to us on social media.
We may disclose any of the categories of personal information listed above and use them for the above-listed purposes or for other business or operational purposes compatible with the context in which the personal information was collected. Our disclosures of personal information include disclosures to our "service providers," which are companies that we engage for business purposes to conduct activities on our behalf. The categories of service providers with whom we share information and the services they provide are described below.
Rights under CCPA:
Access/Right to Know: You have the right to request access to personal information we collected about you and information regarding the source of that personal information, the purposes for which we collect it, and the third parties and service providers with whom we share it.
Deletion: You have the right to request that we erase data we have collected from you. Please note that we may have a reason to deny your deletion request or delete data in a more limited way than you anticipated, e.g., because of a legal obligation to retain it.
To exercise your rights above, you can email us at firstname.lastname@example.org. When we process your request, we must verify your identity by asking you to (1) provide personal identifiers that we can match against information we may have collected from you previously; and (2) confirm your request using the email stated in the request.
Opt-out of sale:
California residents have the right to request that we stop "selling" their personal information. A "sale" of personal information is defined broadly: "selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer's personal information by the business to another business or a third party for monetary or other valuable consideration." We do not sell your information as defined by the CCPA.
Please note that your right to opt out does not apply to our sharing of personal information with service providers, who are parties we engage to perform a function on our behalf and are contractually obligated to use the Personal Information only for that function.
You can access your account data at any time by visiting your account page on www.npmjs.com. Your account page also lists all the packages published under your account or other accounts.
You can access package data by downloading the packages, as long as they're public or you have permission to access them.
You can change your personal account data and payment card data at any time by visiting your account settings page on www.npmjs.com. You can change account and payment data for Enterprise by contacting support.
You can close your npm account at any time by e-mailing contacting support. Closing your account removes the profile from the public registry but does not automatically erase packages published under your account. We may retain some data about you internally even where you close your account.
npm's unpublish policy determines when you can erase packages from the npm public registry. The unpublish policy strikes a difficult balance between the purpose of publishing and hosting packages, others' reliance on what has been made public, and individual rights and freedoms.
If another user improperly publishes personal data about you, in a package or otherwise, email email@example.com.
Please note that while npm publishes notices about published data that's been erased, npm can't make everyone who has downloaded published package data or account data erase that data on your behalf. Choosing a public license, such as an open source software license, may encourage and allow storage, distribution, and use of package data indefinitely. Nearly all popular open source software licenses actually require preserving personal data that attributes the software to you, such as copyright notices, as a condition of permission for the software.
If you accidentally publish a package that threatens your privacy, or discover someone else has published a package that does, email firstname.lastname@example.org immediately. npm can and will take down packages in specific, exceptional situations to protect you, especially if others violate your privacy. Using npm to violate others' privacy is against our terms of service.
npm takes a few steps to notify others who may be copying data from the npm public registry that published data has been erased:
npm publishes new placeholder versions of some erased packages, with
READMEfiles that mention the package has been erased, and why.
npm's registry APIs, special software services that others use to copy data from the npm public registry, send update messages about packages that have been erased.
We may transfer to another entity or its affiliates or service providers some or all information about you in connection with, or during negotiations of, any merger, acquisition, sale of assets or any line of business, change in ownership control, or financing transaction. We cannot promise that an acquiring party or the merged entity will have the same privacy practices or treat your information the same as described in this Policy.
npm's site and services are intended for users age sixteen and older. npm does not knowingly collect information from children. If we discover that we have inadvertently collected information from anyone younger than the age of 16, we will delete that information.
You may email us directly at email@example.com with the subject line "Privacy Concerns." You may also contact our Data Protection Officer directly.
Our United States HQ:
GitHub Data Protection Officer
Attention: npm Data Protection
88 Colin P. Kelly Jr. St.
San Francisco, CA 94107
or our EU Office:
1017 HL Amsterdam
This version of npm's privacy questions and answers took effect June 3, 2020.
npm will announce the next version on the npm blog. In the meantime, npm may update its contact information by updating the page at https://www.npmjs.com/policies/privacy, without an announcement. npm may change how it announces changes in future privacy versions.
You can review the history of changes in the Git repository for npm's public policies.